1. Introduction


Although the basic properties of Gröbner bases in polynomial rings over a ring $C$ are well
known (see Adams and Loustaunau, 2003), they have not been studied very much, mainly because
they were considered as academic, in contrast to the case where the ground ring $C$ is a field.
Recently however, Gröbner basis techniques in polynomial rings over $C = \mathbb{Z}/m$ (in particular $\mathbb{Z}/2^n$)
have attracted some attention due to their potential applications to proving correctness of data
paths in system-on-chip design (cf. e.g. Greuel et al., 2008; Shekhar et al., 2005; Wienand et al.,
2008).

When the underlying ring $C$ has only finitely many elements, then there exist polynomials in
$C[x_1, x_2, \ldots, x_n]$ which evaluate to zero for all $(a_1, a_2, \ldots, a_n) \in C^n$, called vanishing polynomials.
Thus, any polynomial function $f : C^n \to C$ given by an arbitrary element $f \in C[x_1, x_2, \ldots, x_n]$
will have many alternative representations in $C[x_1, x_2, \ldots, x_n]$, namely $f + g$ for all $g$ that constantly
vanish on $C^n$. All vanishing polynomials constitute an ideal $I_0$.

In the applications mentioned above, not the polynomials but only the polynomial functions are
of interest. Thus, if we want to apply algebraic methods we need to be able to efficiently compute
normal forms of polynomials with respect to a Gröbner basis of $I_0$. In the presented paper, we set the
theoretical ground and provide fast algorithms for doing these computations.

From a mathematical point of view, $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ has some interesting properties. In
this paper, we will give an explicit minimal strong Gröbner basis $G_m$ for $I_0$. As will turn out, $G_m$ is a
Gröbner basis with respect to every global monomial order. Moreover, we will show for any alternative
minimal strong Gröbner basis $G$ of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ that the sets of leading terms of $G_m$ and
$G$ are the same up to multiplication by units. This is remarkable, since the ring $\mathbb{Z}/m$ has zero divisors.
In general, the leading terms of two minimal strong Gröbner bases of an ideal $I \subset C[x_1, x_2, \ldots, x_n]$
need not be related by a unit but only by some element of $C$. We will prove both properties and show
also that in general all minimal strong Gröbner bases of an arbitrary ideal $I \subset C[x_1, x_2, \ldots, x_n]$ have
the same number of elements.

From a practical point of view, as mentioned above, engineering tasks involving the computation
of Gröbner bases over finite rings will often need to deal with vanishing polynomials. This is due to
the fact that normally the elements of a Gröbner basis $G$ will be used to decide the consistency of a
mathematical model. And typically, such a check involves the question whether the set of zeros of
all polynomials $f \in G$ coincides with the set of all feasible input-output vectors of the modelled
artifact; see also Greuel et al. (2008). Our interest was specifically spurred by a cooperation with
the local Electronic Design Automation Group in which we use Gröbner bases to formally verify chip
designs. More precisely, a given verification task is translated into a polynomial ideal in $\mathbb{Z}/2^k$, where
typically $k = 32$ or $k = 64$; cf. Wienand (in preparation). For the special case of polynomial datapath
verification we also refer to Wienand et al. (2008) in which it was shown that the Gröbner basis
approach proves tractable for industrial applications where standard property checking techniques
failed.

This paper is organized as follows. Section 2 briefly recalls the basic concepts from the theory of
polynomial rings and Gröbner bases needed later. Section 3 starts by presenting canonical members
of the ideal of vanishing polynomials $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$. Next we show that the leading
term of any given vanishing polynomial is divisible by the leading term of an appropriate canonical
member. This relation enables us to finally construct an explicit minimal strong Gröbner basis $G_m$ of
$I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$. We also show that the size of $G_m$ is of polynomial order of degree $k$ in the
number of variables $n$, when we are in the practically relevant case $m = 2^k$.

The theoretical results are followed by algorithms for computing reduced normal forms
with respect to the constructed basis, and for recursively computing a Gröbner basis of
$I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ along the prime factorization of $m$. The normal form algorithm has been
implemented in the computer algebra system SINGULAR (Greuel et al., 2009) and successfully applied
(Wienand et al., 2008).


2. Preliminaries 


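Let $C$ be a commutative, noetherian ring with 1, and $C[x] := C[x_1, x_2, \ldots, x_n]$ a multivariate
polynomial ring over $C$, where $n \ge 1$. For any multi-index $\alpha = (\alpha_1, \ldots, \alpha_n) \in \{0, 1, 2, \ldots\}^n$, a
product of variables $x^\alpha := x_1^{\alpha_1} \cdots x_n^{\alpha_n}$ is called a monomial, and a product $a \cdot x^\alpha$ with $a \in C$ is called a
term.

Given two multi-indices $\alpha = (\alpha_1, \ldots, \alpha_n)$, $\beta = (\beta_1, \ldots, \beta_n)$, we define
$\alpha + \beta := (\alpha_1 + \beta_1, \ldots, \alpha_n + \beta_n)$. We may compare $\alpha$ and $\beta$ according to the predicate
$\alpha \preceq \beta :\Leftrightarrow \forall i \in \{1, \ldots, n\}: \alpha_i \le \beta_i$, and similarly $\alpha \prec \beta :\Leftrightarrow \alpha \preceq \beta \wedge \alpha \neq \beta$.
For $\alpha = (\alpha_1, \ldots, \alpha_n) \in \{0, 1, 2, \ldots\}^n$, we write $\alpha! := \alpha_1! \cdots \alpha_n!$, and $|\alpha| := \alpha_1 + \cdots + \alpha_n$.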


Moreover, we require the polynomial ring $C[x]$ to be equipped with a global monomial order
$<$, i.e., $<$ is a well-order on the set of monomials and satisfies $x^\alpha > x^\beta \Rightarrow x^{\alpha+\gamma} > x^{\beta+\gamma}$ for all
$\alpha, \beta, \gamma \in \{0, 1, 2, \ldots\}^n$. Then $<$ refines the partial order $\prec$.

Since we are going to work with divisibility in $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$, we need to distinguish between
divisibility in $\mathbb{Z}/m$ and in $\mathbb{Z}$. We set $a \mid_{\mathbb{Z}} b :\Leftrightarrow \exists k \in \mathbb{Z}: b = a \cdot k$ and
$a \mid_m b :\Leftrightarrow \exists k \in \mathbb{Z}: m \mid_{\mathbb{Z}} (b - a \cdot k)$,
that is, $b$ and $a \cdot k$ represent the same residue class in $\mathbb{Z}/m$. For two monomials $a x^\alpha$, $b x^\beta$, we say that
$a x^\alpha$ divides $b x^\beta$, if $a \mid_m b \wedge \alpha \preceq \beta$. We then write $a x^\alpha \mid b x^\beta$, using the ordinary symbol.


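Let $f = a_0 x^{\alpha^{(0)}} + \cdots + a_k x^{\alpha^{(k)}}$ be a polynomial in $C[x_1, x_2, \ldots, x_n]$ with $a_i \neq 0$ for $0 \le i \le k$,
and $x^{\alpha^{(0)}} > x^{\alpha^{(1)}} > \cdots > x^{\alpha^{(k)}}$. We use the following notation:

$\deg(f) = \max\{|\alpha^{(i)}| \mid 0 \le i \le k\}$      total degree of $f$,
$\mathrm{LT}(f) = a_0 \cdot x^{\alpha^{(0)}}$      leading term of $f$,
$\mathrm{LM}(f) = x^{\alpha^{(0)}}$      leading monomial of $f$,
$\mathrm{LC}(f) = a_0$      leading coefficient of $f$,
$L(A) = \langle \mathrm{LT}(f) \mid f \in A \rangle \subset C[x_1, x_2, \ldots, x_n]$      leading ideal of $A$,
for $A \subset C[x_1, x_2, \ldots, x_n]$, $A \neq \emptyset$.

For an ideal $I \subset C[x_1, x_2, \ldots, x_n]$ a finite set $G \subset C[x_1, x_2, \ldots, x_n]$ is called a Gröbner basis of $I$ if

$$G \subset I, \quad\text{and}\quad L(I) = L(G).$$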

That is, $G$ is a Gröbner basis, if the leading terms of $G$ generate the leading ideal of $I$. Note that in
general, all defined objects depend on the chosen monomial order. Especially, a set $G$ may be a Gröbner
basis only with respect to a certain monomial order. We also remind the reader that with the given
definition, $G$ already generates $I$, cf. Adams and Loustaunau (2003).

$G$ is furthermore called a strong Gröbner basis if for any $f \in I \setminus \{0\}$ there exists a polynomial $g \in G$
satisfying $\mathrm{LT}(g) \mid \mathrm{LT}(f)$. A strong Gröbner basis $G$ is called minimal strong if $\mathrm{LT}(g_1) \nmid \mathrm{LT}(g_2)$ for all
distinct $g_1, g_2 \in G$. It is a well known fact that a strong Gröbner basis can always be constructed from
a given Gröbner basis when $C$ is a principal ideal domain, see e.g. Adams and Loustaunau (2003).

Note that if $C$ is a field, any non-zero coefficient of a term is invertible in $C$, and thus
$L(A) = \langle \mathrm{LM}(f) \mid f \in A \rangle$. It is easy to verify that in this case every Gröbner basis is a strong Gröbner basis. As
the following example shows, this does in general not hold when $C$ is a ring:


Example 2.1. Consider $C := \mathbb{Z}/6$, and the polynomial ring $C[x]$ with one variable. Then $G := \{2x, 3x\}$
is a Gröbner basis of the ideal $I := \langle x \rangle$. But since neither $2x$ nor $3x$ divide $x$, $G$ is not a strong Gröbner
basis.


We shall now capture the central notions of this paper. 


Definition 2.2. To any polynomial $f \in C[x_1, x_2, \ldots, x_n]$ we associate the polynomial function
$f : C^n \to C$, $(c_1, c_2, \ldots, c_n) \mapsto f(c_1, c_2, \ldots, c_n)$. We call $f$ a vanishing polynomial if the function $f$ is
identically zero.

The set $I_0 = \{f \in C[x_1, x_2, \ldots, x_n] \mid f \text{ is a vanishing polynomial}\}$ is obviously an ideal in
$C[x_1, x_2, \ldots, x_n]$, called the ideal of vanishing polynomials.


3. A minimal strong Gröbner basis of the ideal of vanishing polynomials

3.1. The ideal of vanishing polynomials


From now on let the coefficient ring be $C = \mathbb{Z}/m$, where $m \ge 2$, unless stated otherwise. The
following results were inspired by the work of Singmaster (1974), Kempner (1921), Halbeisen et al.
(1999), and Hungerbühler and Specker (2006). Already in Lemma 5 of Kempner (1921), a univariate
version of the following lemma was proven. Theorem 7 of Halbeisen et al. (1999) restated this result,
and Hungerbühler and Specker (2006) came up with a generalization to multivariate polynomial rings
over $\mathbb{Z}/m$.


Lemma 3.1. Let $a \in \mathbb{Z}$ and $\alpha = (\alpha_1, \ldots, \alpha_n) \in \mathbb{N}_0^n$ such that $m \mid_{\mathbb{Z}} a\,\alpha!$. Then

$$p_{\alpha,a} := a \prod_{i=1}^{n} \prod_{l=1}^{\alpha_i} (x_i - l) \in \mathbb{Z}/m[x_1, \ldots, x_n]$$

is a vanishing polynomial.

Proof. Fix an arbitrary point $(c_1, c_2, \ldots, c_n) \in C^n$. Then $p_{\alpha,a}(c_1, c_2, \ldots, c_n)$ contains, for all $i$, by
definition the $\alpha_i$ successive factors $c_i - 1, c_i - 2, \ldots, c_i - \alpha_i$. Independent of the value of $c_i$, these
contain all factors from 2 up to $\alpha_i$. Therefore, $\alpha_i!$ divides $p_{\alpha,a}(c_1, c_2, \ldots, c_n)$, for all $i$. By combining
these results, it follows immediately that $a\,\alpha_1! \cdots \alpha_n!$ divides $p_{\alpha,a}(c_1, c_2, \ldots, c_n)$. With $m \mid_{\mathbb{Z}} a\,\alpha!$ this
yields $p_{\alpha,a}(c_1, c_2, \ldots, c_n) = 0$ modulo $m$.


Let us now take a closer look at an arbitrary vanishing polynomial:

Lemma 3.2. Let $f \in I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ be an arbitrary vanishing polynomial with $\mathrm{LT}(f) = b x^\beta$.
Then $m \mid_{\mathbb{Z}} b\,\beta!$.


For the proof we use some of the ideas introduced in Hungerbühler and Specker (2006), which are
based on the notion of partial differences in the multivariate setting. Already Carlitz used partial
differences in the univariate case, see Carlitz (1964), to give a necessary and sufficient condition for a
function $f$ over $\mathbb{Z}/p^k$ to be a polynomial function.¹


Proof. Let $C[x_1, \ldots, x_n]$ denote an arbitrary polynomial ring over $n \ge 1$ variables, and let $h \in C[x]$
be a polynomial. Then we may define the $i$th partial difference

$$\nabla_i h := h(x_1, \ldots, x_{i-1}, x_i + 1, x_{i+1}, \ldots, x_n) - h(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n),$$

for $1 \le i \le n$. Note that $\nabla_i$ is a linear operator.
Now we can define the successive application of the operator by

$$\nabla_i^0 h := h, \quad\text{and}\quad \nabla_i^{k+1} h := \nabla_i \nabla_i^k h, \quad\text{for } k \ge 0.$$

(For $n = 1$, $\nabla^k h$ coincides with Carlitz' $\Delta^k h$; see Carlitz, 1964.)

Since obviously,
$\nabla_i \nabla_j h = h(x_1, \ldots, x_i + 1, \ldots, x_j + 1, \ldots, x_n) - h(x_1, \ldots, x_i + 1, \ldots, x_n) - h(x_1, \ldots, x_j + 1, \ldots, x_n) + h(x_1, \ldots, x_n) = \nabla_j \nabla_i h$,
for all $i, j \in \{1, \ldots, n\}$, we can extend the operator
to arbitrary multi-indices, that is, with $\alpha = (\alpha_1, \ldots, \alpha_n) \in \{0, 1, 2, \ldots\}^n$, the term

$$\nabla^\alpha h := \nabla_1^{\alpha_1} \nabla_2^{\alpha_2} \cdots \nabla_n^{\alpha_n} h$$

is independent from the order of application of the $\nabla_i$ operators and hence well-defined.

Let us consider the difference $(x_i + 1)^k - x_i^k = k\,x_i^{k-1} + g(x_i)$, where $g$ consists of lower terms
only, that is, $\deg(g) < k - 1$. A simple induction shows that $\nabla_i^k x_i^k = k!$ and $\nabla_i^j x_i^k = 0$, whenever $j > k$.
Let now $a x^\alpha := \mathrm{LT}(h)$ denote the leading term. Then, mainly due to the linearity of the $\nabla_i$ operators,
it is easy to see that the previous facts can be further abstracted to the general statements

$$\nabla^\alpha h = a\,\alpha! \quad\text{and}\quad \nabla^\beta h = 0, \quad\text{for all } \beta \succ \alpha.$$

We apply the first equation to the vanishing polynomial $f$ over the ring $\mathbb{Z}/m$: With $f$ also $\nabla^\beta f = b\,\beta!$
must be a vanishing polynomial, by construction. But this implies $b\,\beta! = 0$ modulo $m$.


3.2. A minimal strong Gröbner basis of $I_0$


The above lemmas suggest to consider the set of all polynomials $p_{\alpha,a}$ for which neither $\alpha$ nor $a$ can
be replaced by a smaller multi-index or element of $\mathbb{Z}/m$, respectively, without losing the condition
$m \mid_{\mathbb{Z}} a\,\alpha!$. (This minimality of $\alpha$ has been inspired by the so-called Smarandache function which maps
$m$ to $\min\{k \in \mathbb{N} \mid m \mid_{\mathbb{Z}} k!\}$. This function played a role in previous works which studied the univariate
case, and had been named after Smarandache, see Smarandache (1980), although the idea had been
introduced earlier by Kempner in Definition 1 of Kempner (1921).) We thus define

$$S_m := \{(\alpha, a) \mid 1 \le a < m,\ a \mid_{\mathbb{Z}} m,\ \alpha \in \mathbb{N}_0^n,\ m \mid_{\mathbb{Z}} a\,\alpha!,\ \forall \beta \prec \alpha: m \nmid_{\mathbb{Z}} a\,\beta!,\ \forall b < a,\ b \mid_{\mathbb{Z}} a: m \nmid_{\mathbb{Z}} b\,\alpha!\},$$

$$G_m := \{p_{\alpha,a} \mid (\alpha, a) \in S_m\}.$$


¹ I.e. $f(a) = g(a) \bmod p^k$, for all $a \in \mathbb{Z}/p^k$ and some polynomial $g \in \mathbb{Z}/p^k[x]$.

Note that, according to Lemma 3.1, all polynomials in $G_m$ will still be elements of $I_0$. And by Lemma 3.2,
we can hope to have constructed a strong Gröbner basis.


Theorem 3.3. Let $m \ge 2$ and $n \ge 1$ be arbitrary integers. With the above notations, $G_m$ is a minimal
strong Gröbner basis of the ideal of vanishing polynomials $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$, independent of the
global monomial order.


Before we prove the theorem, let us take a look at an example. 


Example 3.4. Let $m = q_1 \cdot q_2 \cdots q_k$ be a product of $k \ge 1$ mutually distinct primes, and $n \ge 1$ arbitrary.
We assume $q_1 < q_2 < \cdots < q_k$. Then we can immediately write down all elements of $G_m$:

$$(x_i - 1)(x_i - 2) \cdots (x_i - q_k),$$
$$q_k \cdot (x_i - 1)(x_i - 2) \cdots (x_i - q_{k-1}),$$
$$q_k \cdot q_{k-1} \cdot (x_i - 1)(x_i - 2) \cdots (x_i - q_{k-2}),$$
$$\vdots$$
$$q_k \cdot q_{k-1} \cdots q_2 \cdot (x_i - 1)(x_i - 2) \cdots (x_i - q_1),$$

in each row for all $i \in \{1, 2, \ldots, n\}$.

Note that the first type of polynomial is in $G_m$, as $q_k!$ already contains all $q_i$, thus $m \mid_{\mathbb{Z}} q_k!$. Also, we
need to have all $q_k$ polynomial factors since, for all $r < q_k$, $q_k \nmid_{\mathbb{Z}} r!$, i.e. $m \nmid_{\mathbb{Z}} r!$. For the following
polynomials, the argument is similar. Moreover, it is easy to see that we do not have elements in $G_m$
involving two or more variables, and the presented polynomials are all elements of $G_m$.

In this special case $|G_m| = k \cdot n$, and the maximal degree is $q_k$. This means that the size of the basis
is only linear in the number of variables.

For the case $k = 1$, $\mathbb{Z}/q_1$ is a field, and we obtain only the $n$ polynomials in the top row, which are
well-known for this case.

We now prove the theorem: 


Proof. Let us fix $m \ge 2$, the number of variables $n \ge 1$, and an arbitrary global monomial order.
We first show that $G_m$ is indeed a Gröbner basis of $I_0$. To this end, it suffices to show that (i) $S_m$ and
hence $G_m$ is a finite set, (ii) $G_m \subset I_0$, and (iii) $L(I_0) \subset L(G_m)$, since (ii) implies the other inclusion
$L(G_m) \subset L(I_0)$.

(i) Since $(\alpha, a) \in S_m$ implies $\alpha \preceq (m, m, \ldots, m)$, the set is clearly finite.
(ii) $G_m$ consists of polynomials $p_{\alpha,a}$ with $m \mid_{\mathbb{Z}} a\,\alpha!$. Then $G_m \subset I_0$ by Lemma 3.1.
(iii) Let $f \in L(I_0)$ be arbitrary. Then there exist some integer $N \ge 1$, $h_i \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ and
$f_i \in I_0$, $1 \le i \le N$, such that

$$f = \sum_{i=1}^{N} h_i \cdot \mathrm{LT}(f_i).$$

Writing $a_i x^{\alpha^{(i)}} := \mathrm{LT}(f_i)$, we obtain $m \mid_{\mathbb{Z}} a_i\,\alpha^{(i)}!$ from Lemma 3.2. Now either $(\alpha^{(i)}, a_i)$ is already
an element of $S_m$. Or we can replace $a_i$ by some $b_i \mid_{\mathbb{Z}} a_i$ and/or $\alpha^{(i)}$ by some $\beta^{(i)} \prec \alpha^{(i)}$ such that
$(\beta^{(i)}, b_i) \in S_m$. We can subsume both cases in saying that, for each $i \in \{1, 2, \ldots, N\}$, there is some
$(\beta^{(i)}, b_i) \in S_m$ such that $b_i x^{\beta^{(i)}} \mid \mathrm{LT}(f_i)$. With appropriate polynomials $g_i$, $1 \le i \le N$, this amounts to

$$f = \sum_{i=1}^{N} h_i \cdot g_i \cdot \mathrm{LT}(p_{\beta^{(i)}, b_i}),$$

i.e. $f \in L(G_m)$.

Next, let $f \in I_0$. Then, with the same argument as for the $f_i$ above, there exists a $p_{\gamma,c} \in G_m$ such
that $\mathrm{LT}(p_{\gamma,c}) \mid \mathrm{LT}(f)$. This shows that $G_m$ is a strong Gröbner basis.

It remains to show that $G_m$ is minimal. To this end, pick two pairs $(\alpha, a), (\beta, b) \in S_m$ such that
$a x^\alpha \mid b x^\beta$. Then $a \mid_m b$, $a \mid_{\mathbb{Z}} m$, $b \mid_{\mathbb{Z}} m$, and $\alpha \preceq \beta$. We need to prove that $a = b$ and $\alpha = \beta$. Computing
in $\mathbb{Z}$, take a prime factor $q$ of $b$ and $k \ge 1$ maximal such that $q^k \mid_{\mathbb{Z}} b$. Suppose $q^k \nmid_{\mathbb{Z}} a$. Then $a\,\alpha!$
would have at least one less factor $q$ in its prime factorization than $b\,\alpha!$. But since $m \mid_{\mathbb{Z}} a\,\alpha!$, we then
had $m \mid_{\mathbb{Z}} b/q \cdot \alpha! \mid_{\mathbb{Z}} b/q \cdot \beta!$, and $b$ would not be minimal in $(\beta, b) \in S_m$. We conclude that $b \mid_{\mathbb{Z}} a$. We
write this as $a = d \cdot b$ for some $d \mid_{\mathbb{Z}} m$. Now $a \mid_m b$, that is, $m \mid_{\mathbb{Z}} a \cdot c - b$ for some $c$. Putting things
together we get $d \cdot b = a \mid_{\mathbb{Z}} m \mid_{\mathbb{Z}} bcd - b = b(cd - 1)$. Hence $d \mid_{\mathbb{Z}} (cd - 1)$ which can only hold for $d = 1$,
implying $a = b$. But then we must also have $\alpha = \beta$, since otherwise $\beta$ would not be minimal in
$(\beta, b) \in S_m$.


We now show that leading terms of minimal strong Gröbner bases of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ are
unique, up to multiplication by units of $\mathbb{Z}/m$. We prove this result as a consequence of a more general
statement for ideals over arbitrary commutative rings with 1 that has, to our knowledge, not been
stated before. (Note the similar statement in the field case; see e.g. Proposition 1.8.4 in Adams and
Loustaunau (2003).)


Theorem 3.5. (a) Let $G, F$ be two minimal strong Gröbner bases of an arbitrary ideal
$I \subset C[x_1, x_2, \ldots, x_n]$, where $C$ is any commutative ring with 1. Then $|G| = |F|$, and the sets of leading terms in
$G$ and $F$ coincide up to multiplication by elements of $C$, i.e.,

$$\forall g \in G\ \ \exists f \in F\ \ \exists c \in C:\quad \mathrm{LT}(g) = c \cdot \mathrm{LT}(f). \qquad (*)$$

(b) In the case of $C = \mathbb{Z}/m$ and $I = I_0$, the ring elements $c$ in (*) can be chosen to be units of $\mathbb{Z}/m$.
Note that the second statement holds for any ideal, if the ring $C$ is a domain.


Proof. (a) Starting with the proof of (*), we pick any $g \in G \subset I$. Then, by the strength of $F$, there is
some $f \in F$ such that $\mathrm{LT}(f) \mid \mathrm{LT}(g)$. Vice versa, by the strength of $G$, there must be some $g' \in G$ such
that $\mathrm{LT}(g') \mid \mathrm{LT}(f)$. Therefore, $\mathrm{LT}(g') \mid \mathrm{LT}(f) \mid \mathrm{LT}(g)$, which implies $g = g'$, by minimality of $G$. But then
the leading monomials $\mathrm{LM}(f)$ and $\mathrm{LM}(g)$ must also coincide, yielding the desired relation between
$\mathrm{LT}(f)$ and $\mathrm{LT}(g)$.

Similar to the previous argument, it is easy to see that no two distinct leading terms in $F$ can fulfil
a relation (*) with the same leading term in $G$, and vice versa. This implies the equality
$|\{\mathrm{LT}(g) \mid g \in G\}| = |\{\mathrm{LT}(f) \mid f \in F\}|$ which clearly amounts to $|G| = |F|$, by the minimality of $G$ and $F$.

(b) We first choose $G = G_m$ to be the explicitly given Gröbner basis, and $F$ any other minimal strong
Gröbner basis of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$. Consider a relation as in (*), i.e., $b \cdot x^\beta = c \cdot a \cdot x^\alpha$, where
$(\beta, b) \in S_m$ and $a \cdot x^\alpha$ denotes the leading term of some $f \in F$. Then $b = a \cdot c \bmod m$, in other words
$m \mid_{\mathbb{Z}} ac - b$. Now let $\bar{a} := \gcd(a, m)$ be the maximum portion of $a$ that divides $m$, that is, $a = \bar{a} \cdot u$,
where $\gcd(u, m) = 1$ which is equivalent to $u$ being a unit in $\mathbb{Z}/m$. Since $\bar{a}, m \mid_{\mathbb{Z}} ac - b$, we obtain
$\bar{a} \mid_{\mathbb{Z}} b$.

We want to show $\bar{a} = b$, so for a contradiction let us assume $\bar{a} < b$. $f \in F \subset I_0$ implies $m \mid_{\mathbb{Z}} a\,\alpha!$
by Lemma 3.2, hence $m \mid_{\mathbb{Z}} \bar{a}\,\alpha! = \bar{a}\,\beta!$, as the factors in $a/\bar{a}$ do not affect divisibility by $m$ and since
obviously $\alpha = \beta$. But this means that we could replace $b$ by the smaller $\bar{a}$ and still preserve the
condition $m \mid_{\mathbb{Z}} \bar{a}\,\beta!$. This contradicts the minimality of $b$ in $(\beta, b) \in S_m$. Hence $\bar{a} = b$.

We thus arrive at the claimed relation $u \cdot b x^\beta = a x^\alpha$, and $c$ can be replaced by the unit
$u^{-1} \in (\mathbb{Z}/m)^*$.

We have shown that we can relate the leading terms of any minimal strong Gröbner basis $F$ of
$I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ to the leading terms in $G_m$ by units. By transitivity, we can now clearly
also relate the leading terms of any two minimal strong Gröbner bases by units. This concludes the
proof.


Note that an arbitrary factor $c$, relating two leading terms, need not necessarily be a unit. For example,
consider the polynomial $f(x, y) = 3(x - 1)(x - 2) \cdot (y - 1)(y - 2) \in G_{12}$. We may switch to
another minimal strong Gröbner basis of $I_0 \subset \mathbb{Z}/12[x, y]$, simply by replacing $f(x, y)$ by
$f'(x, y) = 9(x - 1)(x - 2) \cdot (y - 1)(y - 2)$. Note that over $\mathbb{Z}/12$ the ideals $\langle f \rangle$ and $\langle f' \rangle$ are identical. Thus, $G_m \setminus \{f\} \cup \{f'\}$
must still be a minimal strong Gröbner basis. Now obviously $\mathrm{LT}(f') = 3 \cdot \mathrm{LT}(f)$, but 3 is not a unit in
$\mathbb{Z}/12$.

We point out that minimal strong Gröbner bases are in general not unique. This is due to the
fact that we only consider leading terms and do not require tail reduction here. For example, in the
case of the ideal $I_0$, we can easily modify the basis $G_m$ and still obtain a minimal strong Gröbner
basis. To this end, we may pick two elements $f, g \in G_m$ with $\mathrm{LM}(g) < \mathrm{LM}(f)$ and replace $f$ by
$f + g$.

Let us once again take a look at the complexity of $G_m$, that is, the size $|G_m|$ as a function of the
number of variables $n$. The discussion that followed Example 3.4 already made it clear that $|G_m|$
is only linear in $n$, when all prime factors of $m$ are mutually distinct. In the general case when
$m = q_1^{e_1} \cdot q_2^{e_2} \cdots q_k^{e_k}$ with some $e_i > 1$, the construction is combinatorially more complex. However,
based on the following investigation for the practically relevant case $m = q^k$, we conjecture that for a
fixed $m$ the size of $G_m$ is always of polynomial order in $n$.

Since we are interested in the asymptotic behaviour of $|G_m|$ for a large $n$, we may assume that $n$ is
much larger than $m = q^k$. We can decompose $G_m$ into the disjoint union

$$G_m = \bigcup_{0 \le j < k} G_m^{(j)}, \quad\text{where}$$

$$G_m^{(j)} = \{ q^j \cdot (x_i - 1) \cdots (x_i - (k-j)q) \mid 1 \le i \le n \}$$
$$\cup\ \{ q^j \cdot (x_{i_1} - 1) \cdots (x_{i_1} - s_1 q)(x_{i_2} - 1) \cdots (x_{i_2} - s_2 q) \mid 1 \le i_1, i_2 \le n;\ i_1 \neq i_2;\ 1 \le s_1, s_2;\ s_1 + s_2 = k - j \}$$
$$\vdots$$
$$\cup\ \{ q^j \cdot (x_{i_1} - 1) \cdots (x_{i_1} - q)(x_{i_2} - 1) \cdots (x_{i_2} - q) \cdots (x_{i_{k-j}} - 1) \cdots (x_{i_{k-j}} - q) \mid 1 \le i_u \le n;\ i_u \neq i_v \text{ for } u \neq v \},$$

that is, in $G_m^{(j)}$ we have the constant coefficient $q^j$, and we have polynomials in 1 up to $k - j$ variables.
With $h_j := |G_m^{(j)}|$, we obtain the very rough estimates


kj 
n n : n n 
ki era . KK 1 = aR < oR, 
n+ (5) + +(,°)) i d I <\, k 
a ae 
T= \R-jy 


For $h := |G_m| = \sum_{0 \le j < k} h_j$ we thus get


k-1 
"y<S(" Jsnsk-(")-e = (") 4, 
k a=; k-jJ/ 7 7 k k 


and $h = |G_m|$ is of polynomial order of degree $k$ in the number of variables $n$.


hy 


lA 


3.3. Computing the reduced normal form of a polynomial 


After we have given a minimal strong Gröbner basis of $I_0 \subset \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$, we shall now
turn to computing representatives of the residue classes in $(\mathbb{Z}/m[x_1, x_2, \ldots, x_n])/I_0$. When we impose
certain bounds on the coefficients of all monomials, these representatives are unique:


568 G.-M. Greuel et al. / Journal of Symbolic Computation 46 (2011) 561-570 


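Proposition 3.6. Every residue class $f \in (\mathbb{Z}/m[x_1, x_2, \ldots, x_n])/I_0$ has a unique representative
$f \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ of the form

$$f = \sum_{\alpha \in \{0, 1, \ldots, m-1\}^n} d_\alpha x^\alpha, \quad\text{where } 0 \le d_\alpha < \frac{m}{\gcd(m, \alpha!)} \text{ for all } \alpha.$$

Note that, whenever $m \mid_{\mathbb{Z}} \alpha!$, the given bound forces $d_\alpha$ to be zero.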


Proof. Let $f \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ be an arbitrary polynomial. Suppose $f$ contains a monomial $a x^\alpha$
for which $a \ge c := \frac{m}{\gcd(m, \alpha!)}$. Due to division with remainder of $a$ by $c$ in $\mathbb{Z}$, we obtain $a = k \cdot c + r$
for some $k \in \{1, 2, \ldots\}$, and $0 \le r < c$. Now, $m \mid_{\mathbb{Z}} \frac{m}{\gcd(m, \alpha!)}\,\alpha!$. In other words, $m \mid_{\mathbb{Z}} c\,\alpha!$, and $p_{\alpha,c} \in I_0$ by
Lemma 3.1.

As a consequence, $f$ and $f' := f - k \cdot p_{\alpha,c}$ lie in the same residue class. Moreover, the coefficient
of $x^\alpha$ in $f'$ is $a - k \cdot c = r$, for which the claimed bound holds. Since we have a global order on the
monomials, we need only finitely many repetitions of the presented reduction step, in order to arrive
at a polynomial $g$ which also lies in the residue class of $f$, and the coefficients of which all satisfy the
required bound condition.

To prove the uniqueness of the constructed representative, assume we have two representatives
$f_1, f_2$ of the residue class of $f$, realising all coefficient bounds. Then, by defining either $g := f_1 - f_2$ or
$g := f_2 - f_1$, we obtain a polynomial $g \in I_0$ with $\mathrm{LT}(g) = a x^\alpha$ and $0 \le a < \frac{m}{\gcd(m, \alpha!)}$. By Lemma 3.2,
we know that $m \mid_{\mathbb{Z}} a\,\alpha!$.

We need to show that $a = 0$; so for a contradiction, let us assume that $a > 0$. With $b := \gcd(m, a)$
we still have $m \mid_{\mathbb{Z}} b\,\alpha!$, i.e., $\frac{m}{b} \mid_{\mathbb{Z}} \alpha!$. Then also $\frac{m}{b} \mid_{\mathbb{Z}} \gcd(m, \alpha!)$ which implies $m \mid_{\mathbb{Z}} b \cdot \gcd(m, \alpha!)$. But
$b \cdot \gcd(m, \alpha!) \le a \cdot \gcd(m, \alpha!) < m$, yielding the desired contradiction.


As an immediate consequence, we can count the number of polynomial functions which is the same
as the number of residue classes in $(\mathbb{Z}/m[x_1, x_2, \ldots, x_n])/I_0$:


Corollary 3.7. The number of polynomial functions $(\mathbb{Z}/m)^n \to \mathbb{Z}/m$ is given by

$$N = \prod_{\alpha \in \{0, 1, \ldots, m-1\}^n} \frac{m}{\gcd(m, \alpha!)}.$$

In comparison, the number of all functions $(\mathbb{Z}/m)^n \to \mathbb{Z}/m$ equals

$$m^{(m^n)} = \prod_{\alpha \in \{0, 1, \ldots, m-1\}^n} m = N \cdot \prod_{\alpha \in \{0, 1, \ldots, m-1\}^n} \gcd(m, \alpha!).$$


$\mathbb{Z}/m \to \mathbb{Z}/m$    No. of functions       No. of polynomial functions

$m = 2^2$       $256$                  $64$
$m = 2^8$       $10^{816}$             $10^{16}$
$m = 2^{16}$    $10^{315652}$          $10^{52}$
$m = 2^{32}$    $10^{41373247567}$     $10^{184}$


Hence, if $m$ is not prime, there are much fewer polynomial functions $(\mathbb{Z}/m)^n \to \mathbb{Z}/m$ than
functions. This has the consequence that not every problem which can be modelled by functions, like
problems coming from formal verification, can be modelled by polynomials over $\mathbb{Z}/m$ (cf. Wienand
et al. (2008) where, nevertheless, polynomial ideals over $\mathbb{Z}/2^k$ have been used successfully).

Following the idea in the proof of Proposition 3.6, we are able to present a very fast algorithm for
computing the reduced normal form, that is, the unique representative of a residue class in the ring
$\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ modulo $I_0$ (see Shekhar et al. (2005) for $\mathbb{Z}/2^k$):

Algorithm 1 Reduced normal form in $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ with respect to $I_0$
Input: $f \in \mathbb{Z}/m[x_1, x_2, \ldots, x_n]$ a polynomial, $>$ any monomial order on $\mathbb{Z}/m[x_1, x_2, \ldots, x_n]$
Output: $h$ the reduced normal form of $f$ with respect to $I_0$
  $h := 0$
  while $f \neq 0$ do
    $a x^\alpha := \mathrm{LT}(f)$
    $c := \frac{m}{\gcd(m, \alpha!)}$
    solve $a = k \cdot c + r$ with $k \in \mathbb{N}$ and $0 \le r < c$
    $h := h + r x^\alpha$
    $f := f - k \cdot p_{\alpha,c} - r x^\alpha$
  end while
  return $h$


Note that the algorithm makes sure that $f + h$ will always represent the same residue class, as
$p_{\alpha,c} \in I_0$. Since initially $h = 0$, this class must be the residue class of $f$. After termination, which is
ensured by the global order, $h$ consists only of terms with appropriate coefficient bound, i.e., $h$ must
be the unique representative as given in Proposition 3.6.
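
The following Python sketch is an added example, not the authors' SINGULAR implementation. It runs Algorithm 1 and uses it the way the verification application needs it: two polynomials over $\mathbb{Z}/m$ describe the same datapath function exactly when their reduced normal forms agree. The dict-based polynomial representation, the function names, the choice of degree-lexicographic order and the $\mathbb{Z}/8$ sample polynomials are assumptions made for this example.

```python
from itertools import product
from math import factorial, gcd, prod


def multi_factorial(alpha):
    """alpha! = alpha_1! * ... * alpha_n! for a multi-index alpha."""
    return prod(factorial(a) for a in alpha)


def p_poly(alpha, c, m):
    """p_{alpha,c} = c * prod_i prod_{l=1..alpha_i} (x_i - l), coefficients mod m.

    Polynomials are dicts {exponent tuple: coefficient}; zero terms are dropped.
    """
    poly = {(0,) * len(alpha): c % m}
    for i, a_i in enumerate(alpha):
        for l in range(1, a_i + 1):          # multiply by (x_i - l)
            nxt = {}
            for exp, coef in poly.items():
                up = exp[:i] + (exp[i] + 1,) + exp[i + 1:]
                nxt[up] = (nxt.get(up, 0) + coef) % m
                nxt[exp] = (nxt.get(exp, 0) - l * coef) % m
            poly = nxt
    return {e: v for e, v in poly.items() if v}


def reduced_normal_form(f, m):
    """Algorithm 1: unique representative of f modulo I_0 in Z/m[x_1..x_n]."""
    f = {e: v % m for e, v in f.items() if v % m}
    h = {}
    while f:
        # Leading term under degree-lexicographic order (a global order).
        alpha = max(f, key=lambda e: (sum(e), e))
        a = f[alpha]
        c = m // gcd(m, multi_factorial(alpha))
        k, r = divmod(a, c)                  # a = k*c + r with 0 <= r < c
        if r:
            h[alpha] = r
        if k:
            for e, v in p_poly(alpha, c, m).items():
                f[e] = (f.get(e, 0) - k * v) % m
        del f[alpha]                         # a - k*c - r = 0: leading term cancels
        f = {e: v for e, v in f.items() if v}
    return h


def evaluate(poly, point, m):
    """Value of the polynomial function at a point of (Z/m)^n."""
    return sum(v * prod(x ** e for x, e in zip(point, exp))
               for exp, v in poly.items()) % m


def same_function(f, g, m):
    """f and g induce the same function on (Z/m)^n iff their normal forms agree."""
    return reduced_normal_form(f, m) == reduced_normal_form(g, m)


def count_polynomial_functions(m, n):
    """Corollary 3.7: product over alpha in {0..m-1}^n of m / gcd(m, alpha!)."""
    return prod(m // gcd(m, multi_factorial(alpha))
                for alpha in product(range(m), repeat=n))


# Constructed sample: two 2-variable expressions over Z/8 (3-bit words).
M = 8
SPEC = {(2, 1): 3, (1, 0): 5, (0, 0): 6}      # 3*x^2*y + 5*x + 6
# IMPL = SPEC + 2(x-1)(x-2)(y-1)(y-2); that summand vanishes since 8 | 2*2!*2!.
IMPL = {(2, 2): 2, (2, 1): 5, (2, 0): 4, (1, 2): 2, (1, 1): 2,
        (1, 0): 1, (0, 2): 4, (0, 1): 4, (0, 0): 6}

if __name__ == "__main__":
    print(reduced_normal_form(IMPL, M), same_function(SPEC, IMPL, M))
```

Comparing normal forms replaces the exhaustive check over all $m^n$ input points, which is what makes the approach usable for 32-bit and 64-bit word sizes.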


3.4. Computing minimal strong Gröbner bases over different rings $\mathbb{Z}/m$


The simple structure of minimal strong Gröbner bases provides us with a recursive means to
construct $G_m$ from bases for smaller $m$. We are especially interested in computing $G_M$ from the
elements of the already computed set $G_m$, where $M = q \cdot m$ with $q$ a prime number. The following
pairwise disjoint decomposition of $G_M$ is easy to verify:

$$G_M = \{p_{\alpha,a} \mid p_{\alpha,a} \in G_m,\ (\alpha, a) \in S_M\}$$
$$\cup\ \{p_{\alpha,aq} \mid p_{\alpha,a} \in G_m,\ (\alpha, aq) \in S_M\}$$
$$\cup\ \{p_{\alpha+\beta,b} \mid p_{\alpha,a} \in G_m,\ \exists \beta \in B(\alpha, a, q) \wedge b \mid_{\mathbb{Z}} M : (\alpha + \beta, b) \in S_M\},$$

where $B(\alpha, a, q)$ denotes the set of all $\beta \succ (0, 0, \ldots, 0)$ such that $(\alpha + \beta)!$ contains one more prime
factor $q$ than $a\,\alpha!$.

This decomposition says that we may already directly find elements of $G_M$ in $G_m$. Or, secondly, we
may build an element of $G_M$ by multiplying an element of $G_m$ by $q$. Besides altering the coefficient
only, we can also try to enlarge the exponent vector of some $p_{\alpha,a} \in G_m$ such that the new exponent
factorial $(\alpha + \beta)!$ contains one more prime factor $q$ than $\alpha!$. However, enlarging the exponent may
introduce many more divisors of $M$, so that in general we need to adjust the coefficient. It is easy to
see that once a suitable $\beta$ is found, we can set $b = \frac{M}{\gcd(M, (\alpha + \beta)!)}$. The search for suitable $\beta$ can obviously
be limited to the set defined by the condition $\beta \preceq (q, q, \ldots, q)$, that is, we know a finite superset of
$B(\alpha, a, q)$.

In practice, all three cases may occur. The following examples are numbered according to the order 
in the above decomposition. (The number of variables, n, equals 2.) 


Example 3.8. 1. $G_3 \subset G_6$, since $3! = 6$ already contains all necessary factors; see Example 3.4 (and
the remark regarding $k = 1$) to recall the elements of $G_3$.

2. With $q$ any prime, we have $p_{(3,0),2} \in G_{12}$ and $p_{(3,0),2 \cdot q} \in G_{12 \cdot q}$.

3. We have $6(x - 1)(x - 2)(y - 1)(y - 2) \in G_{24}$. We try to construct an element in $G_{24 \cdot 3}$ by enlarging
the product of $x$ and $y$ terms. Since $6 \cdot 2! \cdot 2!$ contains one prime factor 3, we try to move to the
target product $(x - 1)(x - 2)(x - 3)(y - 1)(y - 2)(y - 3)$ which realizes one more factor 3 because
$3^2 \mid_{\mathbb{Z}} 3! \cdot 3!$. Now $b = \frac{72}{\gcd(72,\, 3! \cdot 3!)} = 2$ and hence $2(x - 1)(x - 2)(x - 3)(y - 1)(y - 2)(y - 3) \in G_{72}$.


The above decomposition of $G_M$, and the structure of $G_q$ for a prime $q$ as discussed in Example 3.4, give
rise to the following algorithm.

Algorithm 2 RecComp($M$), Recursive computation of $G_M$
Input: $M \in \{2, 3, \ldots\}$
Output: $G_M$
  pick any prime factor $q$ of $M$
  if $M = q$ then
    $A := \{q \cdot e_i \mid 1 \le i \le n\}$, where the $e_i$ are the unit vectors in $\mathbb{N}^n$
    $G := \{p_{\alpha,1} \mid \alpha \in A\}$
  else
    $m := M/q$
    $H :=$ RecComp($m$)
    $G := \{\}$
    for all $p_{\alpha,a} \in H$ do
      if $(\alpha, a) \in S_M$ then
        $G := G \cup \{p_{\alpha,a}\}$
      else
        $G := G \cup \{p_{\alpha,aq}\}$
        for all $\beta \in B(\alpha, a, q) \subset \{\beta \mid (0, 0, \ldots, 0) \prec \beta \preceq (q, q, \ldots, q)\}$ do
          $b := \frac{M}{\gcd(M, (\alpha + \beta)!)}$
          $G := G \cup \{p_{\alpha+\beta,b}\}$
        end for
      end if
    end for
  end if
  return $G$